Permissions for cross account Amazon SNS topics - Amazon DevOps Guru

Permissions for cross account Amazon SNS topics

Use the information in this topic only if you want to configure Amazon DevOps Guru to deliver notifications to Amazon SNS topics owned by a different account than yours. DevOps Guru must have permission to publish to an Amazon SNS topic before it can send notifications to it. For topics in your own AWS account, DevOps Guru adds the required topic policy on your behalf; for a topic in another account, the topic owner must add it.

Note

DevOps Guru currently only supports cross-account access in the same Region.

If you want to use an Amazon SNS topic from another account, you must attach the following policy to the existing Amazon SNS topic.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sns:Publish",
            "Effect": "Allow",
            "Resource": "arn:aws:sns:region-id:topic-owner-account-id:my-topic-name",
            "Principal": {
                "Service": "region-id.devops-guru.amazonaws.com"
            }
        },
        {
            "Action": "sns:Publish",
            "Effect": "Allow",
            "Resource": "arn:aws:sns:region-id:topic-owner-account-id:my-topic-name",
            "Principal": {
                "AWS": "arn:aws:iam::topic-sender-account-id:user/devops-guru-user-name"
            }
        }
    ]
}

In the Resource and Principal values, topic-owner-account-id is the account ID of the topic owner, topic-sender-account-id is the account ID of the account in which DevOps Guru was set up, and devops-guru-user-name is the name of the IAM user who set it up. You must also substitute appropriate values for region-id (for example, us-west-2) and my-topic-name. Both statements grant sns:Publish on the same topic ARN: the first to the Region-specific DevOps Guru service principal, the second to the IAM user in the sender account.
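The following is an added example, not code from the AWS documentation or from DevOps Guru itself. It fills the placeholders in the policy above from the five values the text names, then runs the checks a topic owner would want before applying it: that no documentation placeholder (region-id, topic-owner-account-id, and so on) survived, that every Allow of sns:Publish is scoped to exactly this topic ARN, that the service principal is the same-Region DevOps Guru principal (cross-Region access is not supported), and that no statement opens the topic to Principal "*". The account IDs, Region, topic name and user name in the test are constructed sample values.

```python
"""Build and sanity-check the cross-account Amazon SNS topic policy that
DevOps Guru needs (added example; not code from the AWS documentation)."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_-]+)$")
IAM_USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/.+$")
# Placeholder tokens from the documentation that must not survive into a real policy.
PLACEHOLDERS = ("region-id", "topic-owner-account-id", "topic-sender-account-id",
                "my-topic-name", "devops-guru-user-name")


def build_topic_policy(region, topic_owner_account, topic_name, sender_account, sender_user):
    """Return the two-statement policy from the documentation with the placeholders filled."""
    for acct in (topic_owner_account, sender_account):
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    topic_arn = f"arn:aws:sns:{region}:{topic_owner_account}:{topic_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Statement 1: the Region-specific DevOps Guru service principal may publish.
                "Action": "sns:Publish",
                "Effect": "Allow",
                "Resource": topic_arn,
                "Principal": {"Service": f"{region}.devops-guru.amazonaws.com"},
            },
            {   # Statement 2: the IAM user who set up DevOps Guru in the sender account may publish.
                "Action": "sns:Publish",
                "Effect": "Allow",
                "Resource": topic_arn,
                "Principal": {"AWS": f"arn:aws:iam::{sender_account}:user/{sender_user}"},
            },
        ],
    }


def check_topic_policy(policy, topic_arn):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    m = TOPIC_ARN_RE.match(topic_arn)
    if not m:
        return [f"topic ARN is malformed: {topic_arn!r}"]
    region = m.group(1)

    if policy.get("Version") != "2012-10-17":
        problems.append("policy Version should be 2012-10-17")

    # Leftover documentation placeholders anywhere in the document are a configuration error.
    text = json.dumps(policy)
    for token in PLACEHOLDERS:
        if token in text:
            problems.append(f"placeholder {token!r} was not replaced")

    for i, stmt in enumerate(policy.get("Statement", [])):
        where = f"statement {i}"
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sns:Publish", "sns:*", "*") for a in actions):
            continue
        # A publish grant must name exactly this topic (same Region and owner account).
        if stmt.get("Resource") != topic_arn:
            problems.append(f"{where}: Resource {stmt.get('Resource')!r} is not the topic {topic_arn!r}")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{where}: allows anyone to publish (Principal '*')")
            continue
        if not isinstance(principal, dict):
            problems.append(f"{where}: Principal must be a Service or AWS principal")
            continue
        service = principal.get("Service")
        if service is not None:
            expected = f"{region}.devops-guru.amazonaws.com"
            if service != expected:
                problems.append(f"{where}: service principal {service!r} is not the same-Region principal {expected!r}")
        aws = principal.get("AWS")
        if aws is not None and not IAM_USER_ARN_RE.match(aws):
            problems.append(f"{where}: AWS principal {aws!r} is not an IAM user ARN")
    return problems


if __name__ == "__main__":
    # Constructed sample values; substitute your own Region, account IDs, topic and user name.
    arn = "arn:aws:sns:us-west-2:111111111111:devops-guru-alerts"
    policy = build_topic_policy("us-west-2", "111111111111", "devops-guru-alerts",
                                "222222222222", "devops-guru-operator")
    print(json.dumps(policy, indent=4))
    print("problems:", check_topic_policy(policy, arn) or "none")
```

The checked document is what the topic owner applies; a convenient way to do that is to write it to a file and run `aws sns set-topic-attributes --topic-arn <topic ARN> --attribute-name Policy --attribute-value file://policy.json` in the owner account. Note that setting the Policy attribute replaces the topic's whole access policy, so if the existing topic already has statements that must be kept, merge these two statements into that policy rather than overwriting it.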